Forced to work from home without in-person access to information, with minimal human interaction and limited IT support, “disrupted employees” have no choice but to utilize unprotected home networks and personal devices often shared by family members. Burdened by new layers of stress caused by the pandemic and greater pressure to get the job done, they are unaware of the cybersecurity risk of searching, downloading, and sharing content including company intellectual property. The distractions that come from a work-from-home environment can also derail important habits critical to protecting against cyber threats: using strong passwords, maintaining digital hygiene, patching computers, and updating mobile software.
While more than 70% of companies surveyed by Malwarebytes scored themselves high for their readiness to transition employees to work from home, nearly half admitted to not providing cybersecurity training about potential threats. And yet, study after study shows that the overwhelming majority of cyber breaches share one variable in common: human error. Whether failing to install software security updates, not knowing the risks of public Wi-Fi networks, or giving up sensitive information to phishing emails, no amount of sophisticated anti-malware, spam filters or detection software can protect against human error.
The risk can be costly. According to IBM Security’s 2020 “Cost of a Data Breach Report,” having a remote workforce was found to increase the average total cost of a data breach by $137,000, for a total global average cost of $3.86 million in 2020. At the same time, ransomware hacking groups are getting more aggressive and greedier. The average demand for a digital extortion payment shot up in the first quarter of this year to $220,298, up 43% from the previous quarter as reported in the Coveware “Quarterly Ransomware Report.” Compounding the threat is the steady rise in the number of ransomware attacks that included a threat to publish stolen data: 77% in the first quarter of this year, which is up 10% compared to the last quarter of 2020.
Chief information security officers (CISOs), once perceived as on-call crisis managers, are now responsible for building resilient organizations armed with the right technology solutions, employee compliance, and organizational policies and practices that will level the playing field against attackers. These ultimate protectors of people, assets, infrastructure, and technology are also leading the transformation of the post-pandemic workplace that will continue to be a mix of on-site and remote digital workers.
In the fight against cyber threats, the best defense is a good offense. Leaders of the most protected companies recognize that simple quick fixes to minimize human error are not enough, nor are stand-alone, well-crafted policies based on trust. The real impact comes from creating and maintaining a culture of well-informed, self-regulating, and motivated employees at every level of the organization who are empowered to serve their role as warriors in the fight against cyberattacks every day.
The foundation of effective employee cybersecurity training should meet three key criteria:
1. Build and maintain a cybersecurity knowledge base. Terms such as spam, phishing, malware, ransomware, and social engineering should become part of the company vernacular. Keep employees in the know about how this issue is evolving both within your organization and around the world.
2. Teach cause and effect. Employees should fully understand the financial, operational, and reputational costs of these threats to the organization. Sharpen decision-making skills and establish a clear link between their behavior and outcome.
3. Provide an ongoing “safe place” for making mistakes. Training should be interactive and immersive so as to provide a safe environment for employees to test their knowledge without fearing the consequence of a mistake. Better they get tricked into downloading malware in a safe scenario-based training exercise than in real life.
I’ve seen many companies building upon the foundation of cybersecurity training with games, simulations, and interactive videos:
• Microsoft’s “Security Adventure” challenges employees to work together to investigate a cyberattack on their company.
• IBM’s “Cybersecurity Ops: Terminal” puts employees in multiple roles such as an IT analyst, a general manager, and a chief information security officer. In all cases, employees must troubleshoot suspicious situations.
• PwC’s “Game of Threats” simulates the speed and complexity of a real-world cyber breach and teaches employees the steps they can take to protect their company.
To ensure optimal success, companies are best served by focusing on the objectives of memorization, judgment and strategy.
The pandemic may have caused an increase in cyber threats and disrupted the workplace, but in doing so it accelerated the all-important development of long-term cybersecurity strategies while raising awareness of the prevalence of human error. Investing in employee cybersecurity training and preparedness can no longer be a nice-to-have. The sooner employees become armed and dangerous fighters in the war on cybersecurity, the sooner we’ll see a permanent shift in who holds the power.
First published for Forbes Human Resources Council by The Game Agency’s Head of Creative Strategy & Innovation, Stephen Baer, a member of Forbes Human Resources Council.